Nik

Reputation: 53

Get email (username) in Claims azure ad b2c signed In with AzureAd like a Social account

I am using the starter pack of custom policies with the SocialAndLocalAccounts package to sign in with an Azure Active Directory account.

I customized the flows with custom attributes and it works well for me. I need to receive the email used for the login (username = email).

In the RelyingParty I have these OutputClaims:

<OutputClaim ClaimTypeReferenceId="signInName" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="otherMails" />

When a user signs in with a local B2C account, I get the email in the "signInName" and "email" claims, but when a user signs in with an Azure AD account, the claims are empty.

How can I get the email? How must I write the custom policies (TrustFrameworkBase and TFExtensions)?

Can you help me?

Upvotes: 2

Views: 3465

Answers (1)

Chris Padgett

Reputation: 14654

When the Azure AD identity is signed in with for the first time, you must map from the upn claim that is issued by Azure AD to the email claim that is used by Azure AD B2C, so that this email claim can be:

  1. Written as the otherMails property in the user object to the Azure AD B2C directory.
  2. Issued by Azure AD B2C in the ID token to the client application.

To map from the upn claim that is issued by Azure AD to the email claim that is used by Azure AD B2C, add a new <OutputClaim /> to the Azure AD authentication technical profile:

<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Common AAD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Common-AAD">
      <DisplayName>Multi-Tenant AAD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      ...
      <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />
      </OutputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

The AAD-UserWriteUsingAlternativeSecurityId technical profile converts the email claim to the otherMails claim by invoking the CreateOtherMailsFromEmail claims transformation and then saves the otherMails claim to the user object.

To issue the email claim in the ID token to your client application, add a new <OutputClaim /> to the relying party technical profile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    ...
    <OutputClaims>
      ...
      <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
    </OutputClaims>
    ...
  </TechnicalProfile>
</RelyingParty>

Upvotes: 1
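As an added check (not part of the question or the answer), a short Python script that parses a B2C policy file and reports which of the two OutputClaim mappings described in the answer are missing. It assumes the technical profile Ids Common-AAD and PolicyProfile used in the answer, and the sample policy it runs over is a constructed minimal one, not a real policy file.

```python
import xml.etree.ElementTree as ET

# XML namespace of Azure AD B2C TrustFrameworkPolicy files.
CPIM = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# The two mappings from the answer: (TechnicalProfile Id, ClaimTypeReferenceId, PartnerClaimType).
REQUIRED = [
    ("Common-AAD", "email", "upn"),             # upn issued by Azure AD -> B2C email claim
    ("PolicyProfile", "otherMails", "emails"),  # stored otherMails -> "emails" in the ID token
]

def find_profile(root, profile_id):
    """Return the <TechnicalProfile> element with the given Id, or None."""
    for tp in root.iter(f"{{{CPIM}}}TechnicalProfile"):
        if tp.get("Id") == profile_id:
            return tp
    return None

def output_claim_mappings(profile):
    """Map ClaimTypeReferenceId -> PartnerClaimType (None if absent) for a profile's OutputClaims."""
    return {
        oc.get("ClaimTypeReferenceId"): oc.get("PartnerClaimType")
        for oc in profile.findall(f"{{{CPIM}}}OutputClaims/{{{CPIM}}}OutputClaim")
    }

def missing_mappings(policy_xml, required=REQUIRED):
    """Return the (profile, claim, partner) triples that the policy does not contain."""
    root = ET.fromstring(policy_xml)
    missing = []
    for profile_id, claim, partner in required:
        profile = find_profile(root, profile_id)
        if profile is None or output_claim_mappings(profile).get(claim) != partner:
            missing.append((profile_id, claim, partner))
    return missing

# Constructed sample: the AAD profile has the upn->email mapping, the relying party lacks otherMails->emails.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><Domain>commonaad</Domain><TechnicalProfiles>
    <TechnicalProfile Id="Common-AAD">
      <Protocol Name="OpenIdConnect" />
      <OutputClaims><OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" /></OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="signInName" /></OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""
```

Run `missing_mappings` over each policy file that holds the profile in question (the AAD provider usually lives in TrustFrameworkExtensions, the relying party in the SignUpOrSignIn policy); an empty list means both mappings are present.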
